Beacons are starting to be deployed to provide micro-location information to receivers, which in turn can be used to invoke location-based applications. For example, beacons (BLE, iBeacon, etc.) tag physical objects and locations economically, using active broadcasts so that contextualized, customized content or services can be delivered to users' mobile devices. The beacon identification (ID) picked up by a user device guides it to look up and download detailed information about the tagged object. Correct content and service delivery hinges on beacons being deployed correctly according to a prescribed constellation mapping of beacon IDs. However, the correct operation of beacon technology can be disrupted by cyber or physical threats, that is, spoofing attacks and re-shuffling attacks respectively.
Shuffling beacons causes “wrong” spatially specific information to be delivered to user devices. Typically, beacon IDs should be available to everyone so that they can look up the correct content, but this also undesirably makes the attacker's job easier. There is no defence mechanism available to protect beacons from a shuffling attack. A spoofing attack eavesdrops on all beacon IDs (lunch-time attack vs. adaptive query) and plays them back at wrong locations. A more sophisticated attack could craft the beacon data before retransmission.